Sri Lanka's Digital ID Project: A Foreign System Integrator's Overreach

The Controversy Surrounding Sri Lanka's Digital ID Project

Sri Lanka's ambitious digital identity (SL-UDI) project has been met with significant skepticism and concern, particularly over the role of a foreign master system integrator (MSI). The project, which aims to provide citizens with a unique digital identifier, is seen by many as a potential threat to data sovereignty and national security.

Data Sovereignty at Stake

The Department for Registration of Persons (DRP) has voiced strong reservations about the foreign MSI's control over sensitive data and profile management. P.T.G. Perera, the Acting Project Director of Sri Lanka’s electronic national identity card (e-NIC) project, has raised 22 specific concerns in a letter to the Digital Economy Ministry. These concerns include the potential for data leakage, restricted bidding to Indian companies, and the arbitration process being conducted in New Delhi, effectively bypassing Sri Lanka’s judicial system.

Key issues include:

• Data Control**: The MSI would have significant control over critical security components, potentially undermining established oversight and data security protocols.
• Legal Frameworks**: The project lacks clear legal frameworks for certain biometric data collection, such as iris scans, which could lead to legal and regulatory challenges.
• Data Migration**: The process of migrating data to the new system poses risks of data leakage and loss, especially if not properly managed.

Legal and Governance Challenges

The Supreme Court is set to consider a petition challenging the India-Sri Lanka Memorandum of Understanding (MoU) related to the SL-UDI project. This legal challenge underscores the ongoing concerns over the project's alignment with existing laws and systems. The 1968 Number 32 Persons Registration Act, which provides for the registration of all citizens and the issuance of National Identity Cards, is a key legal framework that the DRP must adhere to.

Overlaps and Governance Issues

Perera’s letter highlights overlaps with existing systems, such as the e-NIC, and warns that the MSI’s management of IT assets could disrupt current governance and security protocols. The limitation of liability clause, which restricts the contractor’s liability to only 10% of the contract value in cases of data breaches, further exacerbates the risks for the Sri Lankan government.

The Role of the Attorney General

The DRP has emphasized the need for the Attorney General’s clearance before signing off on the project. This step is crucial to ensure that the project complies with all legal and regulatory requirements and does not undermine national data sovereignty.

Projections suggest a 30% increase in legal and regulatory scrutiny for digital identity projects in South Asia due to these concerns.

The Bottom Line

Sri Lanka's digital ID project is a double-edged sword. While it has the potential to streamline digital transactions and interactions, the involvement of a foreign MSI raises significant concerns over data sovereignty and security. The legal and governance challenges must be addressed to ensure that the project serves the best interests of the Sri Lankan people without compromising national security.